[Swan-dev] simplifying default IKEv1 IKE algorithms
Andrew Cagney
andrew.cagney at gmail.com
Fri Feb 3 16:19:10 UTC 2017
To make my question more concrete, here's the table used to generate
proposals when ike=... appears in an IKEv1 config file:
static const struct ike_alg *default_ikev1_groups[] = {
&oakley_group_modp2048.common,
&oakley_group_modp1536.common,
NULL,
};
static const struct ike_alg *default_ike_ealgs[] = { // technically never used
&ike_alg_encrypt_aes_cbc.common, // 256-bit then 128-bit
&ike_alg_encrypt_3des_cbc.common,
NULL,
};
static const struct ike_alg *default_ike_aalgs[] = {
&ike_alg_prf_sha2_256.common,
&ike_alg_prf_sha2_512.common,
&ike_alg_prf_sha1.common,
&ike_alg_prf_md5.common,
NULL,
};
(16 combinations)
and here's an equivalent table for when the ike=... line is omitted
from the config file (i.e., the out-of-the-box IKEv1 defaults):
static const struct ike_alg *default_ikev1_groups[] = {
&oakley_group_modp2048.common,
&oakley_group_modp1536.common,
&oakley_group_modp1024.common,
NULL,
};
static const struct ike_alg *default_ikev1_ealgs[] = {
&ike_alg_encrypt_aes_cbc.common, // 256-bit then 128-bit
&ike_alg_encrypt_3des_cbc.common,
NULL,
};
static const struct ike_alg *default_ikev1_aalgs[] = {
&ike_alg_prf_sha1.common,
&ike_alg_prf_md5.common,
NULL,
};
(12 combinations)
Should the second table be dropped and just the first used, that is:
- the only way to get modp1024 is to specify it explicitly
- sha2 appears in all defaults and is preferred to sha1 and md5
(of course FIPS prunes this list further)
On 19 January 2017 at 14:33, Andrew Cagney <andrew.cagney at gmail.com> wrote:
> (not IKEv2, not ESP)
>
> Currently, for IKEv1 IKE (phase1 I guess) has two different "defaults"
>
> - the ike= line is missing from the config
>
> hard wired magic in spdb.c constructs an exhaustive proposal list
> and dumps it onto the wire
> the proposals are not sanity checked, and stuff that isn't supported
> keeps being sent out
>
> The combinations are something like
> {aes256,aes128,des3}-{sha1,md5}-{modp2048,modp1536,modp1024} = 3*2*3 = 18
> but the exact details depend on the authentication being used
>
> - the ike= line is present but some algorithms are missing; for
> instance ike=aes is missing prf/integ and dh
>
> completely unrelated logic in plutoalg.c, fills in missing
> algorithms by enumerating over completely unrelated default values
> for DH, there is a sanity check to filter out invalid defaults (I
> need to apply that to the other cases)
>
> The current default is:
> *-{sha256,sha512,sha1,md5}-{modp2048,modp1536} (since an encryption
> algorithm is required for this case)
>
> Rather than trying to modify the first code path so that it filters
> out invalid defaults, I'd like to drop that code path entirely.
> Instead use the second code path to fill in the defaults when IKEv1
> and no ike= was specified
>
> Thoughts,
> Andrew
>
> Not IKEv2 IKE? it currently produces a very compact and very
> different proposal list, but that isn't to rule it out.
> Not ESP? That code path is very different.
More information about the Swan-dev
mailing list